Bug 35562 - UMC module AD Connection should check Administrator account
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: AD Connector
Version: UCS 3.2
Hardware: Other Linux
Importance: P5 enhancement
Target Milestone: UCS 4.0-0-errata
Assigned To: Arvid Requate
QA Contact: Stefan Gohmann
Blocks: 37168
Reported: 2014-08-04 18:50 CEST by Arvid Requate
Modified: 2015-01-29 11:42 CET
Bug group (optional): Error handling
Description Arvid Requate univentionstaff 2014-08-04 18:50:10 CEST
Currently a user of the UMC module AD-Connection can enter any account in the join dialog.

The UMC module should check that the standard Administrator account is used for this (which also exists in UCS OpenLDAP before the join).

Otherwise the join of univention-samba will fail later on.



+++ This bug was initially created as a clone of Bug #34091 +++
Comment 1 Arvid Requate univentionstaff 2014-08-04 18:54:28 CEST
Note that it's required to use the localized spelling of the account, as it is found in Active Directory (e.g. "Administrateur" in French AD).

The AD and UCS accounts are matched via their Well Known RIDs (and the English spelling in UCS gets replaced by the localized version during the join process). This matching process is only performed for Well Known Accounts.
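The following is an added example, not part of the original bug thread and not Univention's code: it shows how a join account can be validated by well-known RID instead of by name, so that a localized "Administrateur" passes while an ordinary account is rejected. The function names, the dict layout and the `memberOfSids` key (group SIDs already resolved by the caller) are assumptions made for illustration.

```python
import struct

# Well-known relative identifiers (RIDs), identical in every AD domain.
RID_ADMINISTRATOR = 500
RID_DOMAIN_ADMINS = 512


def parse_sid(raw):
    """Decode a binary objectSid value into its 'S-1-5-21-...' string form."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % raw[1], raw[8:])   # 32-bit, little-endian
    return "S-%d-%d" % (raw[0], authority) + "".join("-%d" % s for s in subs)


def check_join_account(entry, domain_sid):
    """Return a list of problems; an empty list means the account passes.

    The name is never compared: a localized or renamed Administrator keeps RID 500.
    """
    problems = []
    acct_domain, _, rid = parse_sid(entry["objectSid"]).rpartition("-")
    if acct_domain != domain_sid:
        problems.append("account does not belong to the domain being joined")
    if int(rid) != RID_ADMINISTRATOR:
        problems.append("account RID is %s, expected %d" % (rid, RID_ADMINISTRATOR))
    groups = set(entry.get("memberOfSids", ()))
    groups.add("%s-%d" % (acct_domain, entry["primaryGroupID"]))
    if "%s-%d" % (domain_sid, RID_DOMAIN_ADMINS) not in groups:
        problems.append("account is not a member of Domain Admins")
    return problems


def make_sid(*subs):
    """Build a constructed binary SID under authority 5 (NT Authority)."""
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


# Constructed sample entries (hypothetical dict layout, not an LDAP library type).
DOMAIN_SID = "S-1-5-21-1111-2222-3333"
FRENCH_ADMIN = {"sAMAccountName": "Administrateur", "primaryGroupID": 513,
                "objectSid": make_sid(21, 1111, 2222, 3333, 500),
                "memberOfSids": [DOMAIN_SID + "-512"]}
ORDINARY_USER = {"sAMAccountName": "jdoe", "primaryGroupID": 513,
                 "objectSid": make_sid(21, 1111, 2222, 3333, 1105),
                 "memberOfSids": []}

if __name__ == "__main__":
    for e in (FRENCH_ADMIN, ORDINARY_USER):
        print(e["sAMAccountName"], check_join_account(e, DOMAIN_SID) or "ok")
```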
Comment 2 Arvid Requate univentionstaff 2014-12-09 13:31:11 CET
Advisory: 2014-12-09-univention-ad-connector.yaml
Comment 3 Stefan Gohmann univentionstaff 2014-12-10 07:55:41 CET
The tests still fail:

python-univention-lib                   4.0.5-7.291.201412091559

Starting univention-s4-connector daemon.
Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/main.py", line 41, in <module>
    import univention.s4connector
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 53, in <module>
    univention.admin.modules.update()
  File "/usr/lib/pymodules/python2.7/univention/admin/modules.py", line 92, in update
    os.path.walk(dir, _walk, p)
  File "/usr/lib/python2.7/posixpath.py", line 246, in walk
    walk(name, func, arg)
  File "/usr/lib/python2.7/posixpath.py", line 238, in walk
    func(arg, top, names)
  File "/usr/lib/pymodules/python2.7/univention/admin/modules.py", line 76, in _walk
    m=__import__(mod, globals(), locals(), name)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 52, in <module>
    import univention.lib.admember
  File "/usr/lib/pymodules/python2.7/univention/lib/admember.py", line 57, in <module>
    import dns.resolver
  File "/usr/share/pyshared/univention/s4connector/s4/dns.py", line 36, in <module>
    import univention.s4connector.s4
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 720, in <module>
    class s4(univention.s4connector.ucs):
AttributeError: 'module' object has no attribute 's4connector'
failed.
Comment 4 Arvid Requate univentionstaff 2014-12-10 16:07:40 CET
Uh, nasty side effect. I added a workaround to fix this.
Comment 5 Stefan Gohmann univentionstaff 2015-01-20 21:47:39 CET
YAML: OK, some small adjustments (r57401)

It works now as expected. I could rename the Administrator user and the join was possible.

If I try to join as a Non-Domain Admin user, I get the following message (in German):

"
Ein Fehler ist aufgetreten:

Die Anfrage konnte nicht ausgeführt werden.

Fehlernachricht des Servers:

Das angegebene Konto ist nicht Mitglied der Gruppe Domain Admins in AD.
"

At least the last sentence should be adjusted, for example:

Der angegebene Benutzer ist kein Mitglied der Gruppe Domain Admins im Active Directory. Dies ist eine Voraussetzung für den Active Directory Domänenbeitritt.
Comment 6 Arvid Requate univentionstaff 2015-01-21 11:43:56 CET
Ok, message adjusted, Advisory updated.
Comment 7 Stefan Gohmann univentionstaff 2015-01-22 07:12:00 CET
Message during module installation looks good.
Comment 8 Janek Walkenhorst univentionstaff 2015-01-29 11:41:29 CET
<http://errata.univention.de/ucs/4.0/55.html>
Comment 9 Janek Walkenhorst univentionstaff 2015-01-29 11:42:55 CET
<http://errata.univention.de/ucs/4.0/56.html>